Electronic Security Awareness Guide

Introduction

Follow the tips provided in this guide and you will be helping to ensure the security of information systems, the integrity of data, the protection of personal information, and your own privacy.

A significant portion of the information assets of the College are comprised of either sensitive business information or the personal information of students, clients, and employees. The Alberta Freedom of Information and Protection of Privacy (FOIPP) Act requires that we have in place sufficient measures to protect our information assets. This guide, which focuses on protection of our electronic information assets, is one of the measures.

Information security is more than having a user ID and password to protect our systems. We are constantly threatened by viruses, worms, social engineers, spammers, and phishers. Technology alone cannot ensure information security. People can be the weakest link when it comes to security, but with security awareness education, people can be the driving force behind successful information security.

For more detailed information, including how to implement methods outlined in this guide, please call the Information Technology Help Desk at (780) 539-2933 or e-mail us.

Privacy Protection

PI - Not for Public Consumption

Personal information (PI) refers to recorded information about an identifiable individual. Examples of PI include a person's name, address and telephone numbers; race, origin, color or beliefs; unique assigned identifying numbers (such as Social Insurance Number, student ID, passport number); health, educational, employment, financial or criminal history; fingerprints or other biometric data; and opinions about the person or her personal views or opinions (except if they are about someone else).

The Internet has made it very easy to collect PI and profitable to sell it. Always exercise care when considering the release of personal information. If placing data on a website or commonly accessed storage area, be sure there is no PI included in the posting. When someone requests personal information, be very sure you know who they are and determine if they are authorized to access the information. Do not assume all requests are benign. Protect yourself and all information entrusted to you.

Safe Electronic and Physical Document Handling

When working with sensitive or personal information, keep it secure. Follow these general guidelines:

Ensure that sensitive information — whether it's on your monitor or your desk — is not visible to others.

Secure all hard copy mailings of sensitive or personal information in sealed envelopes.

Verify that an individual is willing to receive sensitive or personal information electronically before you send it.

If you are not sure if an individual is authorized to receive certain information, ask your supervisor.

Backups

Protect the information on your computer or laptop by backing up the data. Something — such as theft of computer, file corruption, equipment failure, viruses, accidental delete of a file(s), or natural disasters — could cause data loss. Back up your data at least once a week; back up critical files more often, as they change.

Portable Devices

Portable devices such as iPods and cell phones are small, transportable, and easily lost or stolen.Password protect or encrypt the data on your portable devices.

Portable and Remote Devices

Portable devices — including USB flash drives, laptops, external hard drives, CD-ROMS, PDAs (personal digital assistants), cell phones, and MP3 players or iPods — are convenient and provide us with options to work outside the office. They are small and easy to transport, but can easily be lost or stolen. As valuable as the equipment is, the information stored on it may well be more valuable. Here are some tips for keeping your portable equipment secure:

Password protect the device or encrypt the data stored on it.

Keep the device with you at all times or physically secure it in a locked desk or office.

Avoid leaving your portable device in a vehicle. If you do so, ensure that it is locked in the trunk out of sight.

Store personal or confidential information on your portable computing device only if you have permission to do so and only for as long as you need it.

Keep a detailed list of what is stored on the device and ensure all the data is backed up.

Ensure the device is virus-free before accessing it.

For security, you can leave confidential information stored on GPRC file servers instead of on a personal device.

Passwords

Passwords — Your First Line of Defense!

Effective passwords protect your computer and other devices, such as PDAs or Blackberries, from being used by others. When selecting a password, try to make it as difficult as possible for someone to guess. This is a simple yet critical step in protecting the confidentiality and integrity of information.

Create a password that is at least eight characters long, is a combination of letters and characters, and contains at least on uppercase letter and at least one special character — for example AbGr#38n. Do not use family names, birthdays, or common words found in the dictionary. Consider using a mnemonic to help you remember your password or intentionally misspelling a word.

To further improve your security, do not allow your computer to remember passwords, tempting as that may be. If you use the same password in multiple locations, be aware of the risks — if a hacker cracks that password, that person will have access to all locations where that password was used.

Never share your password, not even with your best friend! Never post your passwords, such as on a sticky note attached to your monitor for everyone to view! Protect your passwords!

E-mail, SPAM, and Messaging

E-Mail

Here are a few guidelines to follow to cut down on the spam you receive:

Delete the junk e-mail.

Do not click the 'unsubscribe' or 'remove' link, as this will just confirm the validity of your e-mail address, meaning that you will receive even more junk e-mail.

Do not give out your e-mail address without knowing how it will be used

Disable the automatic downloading of graphics in HTML e-mail

Try to think of your e-mail as a postcard rather than a letter inside a sealed envelope. What sort of information would you write and send over the internet if you knew hundreds of people could potentially read the postcard before it arrives at its final destination?

Information you send or attach to an e-mail can be intercepted, misused, stolen, or altered. This could lead to the accidental release of sensitive information. What you write may be read by an audience larger than you intended. With a click of a button your e-mail could be sent to the wrong address and/or forwarded to many others — along with that attachment containing sensitive information!

Carefully check the recipient address(es) before sending an e-mail. When sending an e-mail to many recipients, always place the addresses in the BCC field and use your open e-mail address in the TO field. This way, someone such as a spammer cannot steal the e-mail addresses of those you are corresponding with.

SPAM

SPAM is the unsolicited 'junk' e-mail that clogs your inbox. Little can be done to prevent spam because the internet is a public network; however, GPRC successfully filters about 98% of incoming mail.

Instant Messaging

Instant messaging (IM) offers two-way communication in real-time. While instant messaging is convenient, there are some security risks to be aware of. It can be difficult to determine who you are chatting with, and accounts can be compromised. It is easy to send files or links through IM, and anti-virus software does not monitor IM traffic.

Communicate only with people who are listed in your contact or buddy lists.

Never open pictures, download files, or click links in a message from people you do not know. If you receive an instant message from someone you don't know, immediately close the message.

Do not use the feature that allows you to log in automatically. If someone else uses that computer, they will be able to impersonate you.

The Internet

The Internet and Wireless

Did you know that your computer can be infected with a virus, spyware, or malware simply by visiting a website? No user input required. Practice safe surfing!

Tips to keep you safe online:

Never five out your personal information or anyone else's, unless you are sure you know who you are giving the information to and why.

If you do give out personal information, ensure the site you are on is a secure website. Look for the symbol of the locked padlock in your browser window and that the URL begins with 'https'.

Keep your computer or laptop updated with the latest patches for all your software, paying special attention to the operating system and web browser.

Always have a firewall enabled.

When a pop-up warns you about a bad site certificate, think twice before going to the site. A warning is there for a reason.

Before closing the browser, delete all your browsing history and personal information.

Telephone

Basic Phone Security

In Canada, during 2006, there were 7,778 victims of phone fraud the losses of $16,283,776.

Telephone security issues range from toll fraud to calling card fraud. Be careful what information you reveal over the phone. While the actual phone lines are secure, someone could be within hearing distance of you phone call and eavesdropping. Use strong passwords for your voice-mail, and never transfer callers to an outside line.

It is very easy to manipulate caller ID. Do not trust the call display to determine who the caller is.

Mobile Phone Security

Mobile phones present the same security tasks as computers do.

Do not leave the device unattended.

To avoid viruses, do not install illegal software or open attachments sent to you in e-mail.

Password protect your screen lock to prevent the phone being used or your personal information viewed if the device is stolen or lost.

Be careful what you discuss when using a mobile device.

Disabled the Bluetooth component on your device until you need it. An attacker can steal information from your device such as your call logs and addresses without your knowledge and without access to the device if the Bluetooth connection is turned on and set to 'discoverable'.

Virus Protection

Virus Protection

Malware, malicious software, is designed to infect or damage your computer without your consent.

New viruses are discovered daily, and it is important that you always have up-to-date software running on your computer. At GPRC, we use a product called Sophos that is configured to automatically update.

It is available for both staff and students and can be installed at home. For more information, or if you believe you have a virus, please contact the Information Technology helpdesk at (780) 539-2933.

Adware and Spyware Protection

Make sure you are running an up-to-date, properly configured virus scanner at all times.

Spyware is more dangerous as it collects personal information about the user — such as passwords and account information — without their knowledge or consent, and then transmits that information to a third party.

What can you do to protect yourself from adware and spyware?

Do not click on links in pop-up windows.

If a website seems suspicious, close the browser window.

Be wary of free downloadable software, such as KaZaa/LimeWire.

Read the EULA (end user license agreement) before clicking on the accept button.

Identity

Social Engineering

You should always ask for ID when someone shows up to 'fix' your computer or the broken coffee machine.

Social engineering is a non-technical kind of intrusion that relies on human interaction and tricking people into breaking security procedures. Social Engineers have strong people skills and are very good at gaining people's trust. This is how they circumvent the technology, by manipulating people. Here are some common forms of social engineering:

A phone call asking for confidential information such as a user ID or password.

Dumpster diving for memos or other confidential information.

Someone walking in off the street pretending to be an outside consultant, a repairman, or laborer.

Phishing

Phishing is a form of social engineering. Phishers will try to trick you into revealing your username, password, address, phone numbers, PIN code, Social Insurance Number, etc. For Example, you might be sent an e-mail that looks like it came from your bank. You click on the URL and you end up on what looks like your bank's website but isn't. Note that no reputable company will ask for personal information via e-mail. 'Speak phishing' send e-mails that appear genuine to all the employees or members within a certain company, government agency, organization, or group.

Identity Theft

Shred all documents containing personal information before throwing them in the garbage.

Identity theft is one of the fastest growing cyber crimes and will continue to be a concern in the future.

Keep your computer programs updated, including the operating system and anti-virus software.

Do not open files, click on links, or download programs sent to you by people or companies you do not know. If you know the person, make sure you were expecting the data.

Use a personal firewall on your computer and use a spam filter to reduce the number of fraudulent e-mails you receive.

Do not give out personal information over the phone to unknown callers or through e-mail to unknown recipients.

Secure your personal information in your home and always shred any document containing personal information before you throw it away.

Review your bills and statements regularly so you notice any irregularities in your bank accounts.

Run a credit report at least once per year.

Protect your credit cards, bank account numbers, and bank PINs.

Protect your PINs and passwords. Never share this information with anyone.

Reporting

Reporting a security Incident or Problem

Information security breaches could include someone breaking into your computer or account and using your e-mail address. Other signs of potential incidents might include the presence of files on your computer that you're not familiar with, changes to your hardware or software configurations, services that are no longer accessible or if your shuts down for no apparent reason. If something seems amiss with your computer notify your supervisor and the Information Technology Helpdesk immediately.

Personal or sensitive information may be lost if you forget your briefcase while travelling; or your car, hotel room, or home is broken into; or your laptop, cell phone, or PDA is lost or stolen. Whether the sensitive information is paper-based or electronic, its loss is a security incident.

If you think personal or sensitive information has been misused or accidentally lost or disclosed, you must notify your supervisor or FOIP coordinator immediately. The FOIP coordinator can determine what needs to be corrected to ensure it doesn't happen again, and the department can take steps to minimize any harm to individuals that may result from the loss.

If the security breach relates to College information systems, also immediately notify the IT helpdesk at helpdesk@gprc.ab.ca

Information Security Links

Information about security and computers is always subject to change. Use this guide and the links below to stay informed about the latest information on Electronic Information Security.